AI use control, upload protection, and audit evidence for institutions.
Register institutions, generate secure deployment kits, inspect AI use, and export audit evidence without storing raw sensitive content.
Loading system status…
Command Ledger
Loading…
Create institution
No institution action yet.
Institution Deployment Center
Generate institution-specific gateway, endpoint, browser guard, policy bundle, installation docs, checksums, and a downloadable ZIP package.
No deployment kit generated in this session.
Prompt Guard
No prompt inspected yet.
Document Upload Guard
No upload inspected yet.
Developer Guard
No code scanned yet.
Evidence Export
No evidence action yet.
How to use TekuBase AIGuard
1. Create the institution workspace
Open Institution Setup, enter the official institution ID, name, sector, and risk tier, then save. This creates the operating workspace used by Prompt Guard, Upload Guard, Developer Guard, deployment kits, and evidence exports.
Use stable IDs such as ministry-office-name or financial-institution-name.
Use risk tiers such as critical, high, medium, or standard.
Do not use real citizen or customer data during first tests.
2. Generate the deployment kit
Open Deployment Center and generate a secure deployment kit for the institution. The kit contains policy, gateway files, endpoint/browser deployment materials, installation documentation, checksums, and local enrollment secrets.
Download both the ZIP and the SHA-256 sidecar file.
Deliver kits through a secure internal channel only.
Rotate enrollment tokens after the first real installation.
3. Install the enforcement gateway
The gateway is installed on an institution server or VM. It receives AI-use inspection requests from the browser guard, endpoint agent, proxy/DNS/firewall integrations, and approved AI workspaces.
Keep the gateway inside the institution network or secured data center.
Connect DNS/proxy/firewall policy so users cannot bypass approved AI controls.
Test /health, /policy, and /inspect before staff rollout.
4. Enroll browsers and endpoints
Install the Browser Guard on managed Chrome/Edge browsers and the Endpoint Agent on pilot staff computers. These components detect risky AI websites, file upload attempts, sensitive text, clipboard leakage, code secrets, and unapproved AI tools.
Start with 5–20 pilot computers.
Use managed browser policy or IT device management.
Block direct access to unapproved AI websites at DNS/proxy/firewall level.
5. Inspect AI use
Use the guard modules for daily checks and pilot validation.
Prompt Guard: checks text before it is sent to an AI tool.
Upload Guard: checks documents and file contents before upload.
Developer Guard: checks AI-generated or pasted code for secrets, unsafe queries, and risky patterns.
6. Export evidence and verify audit chain
Open Evidence to verify the tamper-evident audit chain and export regulator-ready evidence. Evidence should include institution, deployment kit, guard decisions, blocked events, hashes, and executive summary.
Use evidence exports for internal audit, INSA readiness, board reporting, and regulator review.
Keep raw sensitive data out of reports; use hashes and redacted snippets only.
Export evidence after each pilot test cycle.
Operational rollout checklist
Step
Owner
Output
Approve pilot scope
Executive sponsor + security office
One institution, users, risk scope, success criteria
Create workspace
National or institution operator
Institution record and policy context
Generate kit
AIGuard operator
Signed ZIP, SHA-256 sidecar, installation guide
Install gateway
IT/network team
Gateway service reachable and health checked
Enroll devices
IT endpoint team
Browser/endpoint guards active on pilot computers
Enforce network policy
Network/security team
Unapproved AI bypass paths blocked or monitored
Run acceptance tests
Security + department users
Allowed public prompt, blocked restricted upload, blocked risky code
Export evidence
Auditor/operator
Evidence ZIP and verified audit chain
Security rule: Do not email deployment kits or enrollment-token files. Do not upload real citizen, customer, credential, or confidential data during first validation. Use controlled pilot data until the institution security office approves production traffic.